PCI compliance awareness lacking in finance world: Survey

Some Australian chief financial officers have still not heard of PCI (Payment Card Industry) standards created by MasterCard and Visa despite coverage of data breaches, according to the findings of a survey.

The poll, which was commissioned by IP Payments and conducted in December 2011, found that out of 150 financial industry respondents in Australia, 77 per cent had not heard of PCI compliance.

In addition, 13 per cent of those surveyed in Australia knew of a business that had suffered a credit card data breach and a further 4 per cent admitted to suffering a breach themselves.

Of the 150 respondents, 63 per cent were from businesses that turned over $100 million or more each financial year.

IP Payments Australia director, Mark Lewis, told Computerworld Australia that he found the lack of awareness in the financial world surprising.

“In the successful PCI implementations that we’ve seen, at the end of the process the CFOs and the finance people are well and truly across compliance,” he said.

According to Lewis, this is because after going through PCI compliance procedures, company executives learn that it is “not just an IT problem” and it is unfair to burden the IT department with compliance implementation.

“There is a large part of the PCI standards which relate to securing systems and infrastructure but there are a lot of other policies and processes related to human resources which will need to be engaged in a PCI way if they are handling credit card data,” Lewis said.

Turning to education, he said the general marketing of PCI compliance is slowly changing.

“Our key message off the back of this survey is to get the message out to CFOs. We’ve been speaking with different banking media publications and asking the question, ‘Are you genuinely working towards compliance and is it on the agenda like a health and safety program?’,” Lewis said.
